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We study encodings from CSP into asynchronous CCS with name passing and matching, so in fact, 
the asynchronous TT-calculus. By doing so, we discuss two different ways to map the multi-way 
synchronisation mechanism of CSP into the two-way synchronisation mechanism of CCS. Both en¬ 
codings satisfy the criteria of Gorla except for compositionality, as both use an additional top-level 
context. Following the work of Parrow and Sjodin, the hrst encoding uses a central coordinator and 
establishes a variant of weak bisimilarity between source terms and their translations. The second 
encoding is decentralised, and thus more efficient, but ensures only a form of coupled similarity 
between source terms and their translations. 

1 Introduction 

In the context of a scientific meeting on Expressiveness in Concurrency and Structural Operational Se¬ 
mantics (SOS), likely very little needs to be said about the process algebras (or process calculi) CSP and 
CCS. Too many papers have been written since their advent in the 70’s to be mentioned in our own pa¬ 
per; it is instructive, though, and recommended to appreciate Jos Baeten’s historical overview [1], which 
also places CSP and CCS in the context of other process algebras like ACP and the many extensions by 
probabilities, time, mobility, etc. Here, we just select references that help to understand our motivation. 

Differences. From the beginning, although CSP f8] and CCS ifTTll were intended to capture, describe 
and analyse reactive and interactive concurrent systems, they were designed following rather different 
philosophies. Tony Hoare described this nicely in his position paper [91 as follows: “A primary goal in the 
original design of CCS was to discover and codify a minimal set of basic primitive agents and operators 
... and a wide range of useful operators which have been studied subsequently are all definable in ferms 
of CCS primifives.” and “CSP was more inferesfed in fhis broader range of useful operafors, independenf 
of which of fhem mighf be selecfed as primifive.” So, af fheir heart, fhe fwo calculi use fwo differenl 
synchronisation mechanisms, one (CCS) using binary, i.e., fwo-way, handshake via mafching actions 
and co-acfions, fhe ofher (CSP) using multiway synchronisafion governed by explicif synchronisation 
sefs fhaf are fypically affached fo parallel composifion. Anofher difference is fhe focus on Sfrucfural 
Operafional Semantics in CCS, and fhe definifion of behavioural equivalences on lop of fhis, while CSP 
emphasised a Irace-based denolafional model, enhanced wilh failures, and fhe question on how lo design 
models such thal Ihey salisfy a given sel of laws of equivalence. 

Comparisons. From fhe early days, researchers were inferesfed in more or less formal comparisons 
belween CSP and CCS. This was carried oul by bofh Hoare [9j and Milner ifT^ fhemselves, where fhey 
concentrate on the differences in the underlying design principles. But also other researchers joined the 
game, but with different analysis tools and comparison criteria. 

* Supported by the DFG via project “Synchronous and Asynchronous Interaction in Distributed Systems”. 
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For example, Brookes |[2l contributed a deep study on the relation between the underlying abstract 
models, synchronisation trees for CCS and the failures model of CSP. Quite differently, Lanese and 
Montanari lITOl used the respective power to transform graphs as a measure for the expressiveness of the 
two calculi. 

Yet completely differently, Parrow and Sjodin II161I22II tried to find an algorithm to implement—best 
in a fully distributed fashion—the multiway synchronisation operator of CSP (and its variant LOTOS 
ll2l f using the supposedly simpler two-way synchronisation of CCS. They came up with two candi¬ 
dates—a reasonably simple centralised synchroniser, and a considerably less simple distributed syn- 
chroniseiQ— and proved that the two are not weakly bisimilar, but rather coupled similar, which is only 
slightly weaker. Coupled simulation is a notion that Parrow and Sjodin invented for just this purpose, 
but it has proved afterwards to be often just the right tool when analysing the correctness of distribution- 
and divergence-sensitive encodings that involve partial commitments (whose only effect is to gradually 
perform internal choices) ifTSll . 

The probably most recent comparison between CSP and CCS was provided by van Glabbeek [5)1. 
As an example for his general framework to analyse the relative expressive power of calculi, he studied 
the existence of syntactical translations from CSP into CCS, for which a common semantical domain is 
provided via labeled transition systems (LTS) derived from respective sets of SOS rules. The comparison 
is here carried out by checking whether a CSP term and its translation into CCS are distinguishable with 
respect to a number of equivalences defined on fop of fhe LTS. The concrefe resulfs are: (1) there is a 
translation that is correct up to trace equivalence (and contains deadlocks), and (2) there is no translation 
that is correct up to weak bisimilarity equivalence that also takes divergence into account. 


Contribution. Given van Glabbeks negative result, and given Parrow and Sjddins algorithm, we set 
out to check whether we can define a synfacfical encoding from CSP info CCS—using Parrow and 
Sjodins ideas—thaf is correcf up fo coupled simulafion. We almosf managed. In this paper, we report 
on our current results along these lines: (1) Our encoding target is an asynchronous variant of CCS, 
but enhanced with name-passing and matching, so it is in fact the asynchronous Ti-calculus; we kept 
mentioning CCS in the title of this paper, as it clearly emphasises the origin and motivation of this work. 
But, we could not do without name-passing. (2) We exhibit one encoding that is not distributability- 
preserving (so, it represents a centralised solution), but is correct up to weak bisimilarity and does not 
introduce divergence. This does not contradict van Glabbeek’s results, but suggests the observation that 
van Glabbeek’s framework implies some form of distributability-preservation. (3) We exhibit another 
encoding that is distributability-preserving and divergence-reflecting, but is only correct up to coupled 
similarity. 


Overview. This paper is an extended version—^providing the missing proofs and some additional infor¬ 
mations—of fTj. We introduce the considered variants of CSP and CCS in §|2l There we also introduce 
the criteria—that are (variants of) the criteria in |Ibil and ll2Tll — modulo which we prove the quality of the 
considered encodings. In § [3] we introduce the inner layer of our two encodings. It provides the main 
machinery to encode synchronisations of CSP. We complete this encoding with an outer layer that is 
either a central (§|4l) or a de-central coordinator (§|5ll. In §0we discuss the two encodings. 


'Recently il. a slight variant of the protocol behind this algorithm was used to implement a distributed compiler for a 
substantial subset of LOTOS that yields reasonably efficient C code. 
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2 Technical Preliminaries 

Let J/ be the countably-infinite set of names, let t ^ jY, and let JV the set of co-names, i.e., JV = 
{fl I a € ^}. A process calculus (^,i—>■) consists of a set of processes (syntax) and a relation 
I —y C (semantics). T denotes an internal, i.e., unobservable, action. We use a,b,x,... to range 
over names and P,Q,... to range over processes. We use a, j3 ... to range over jV U {t}. a denotes a 
sequence of names. Let fn(P) and bn(P) denote the sets of free names and bound names occurring in P, 
respectively. Their definitions are completely standard. We use a, a', ai,... to range over substitutions. 
A substitution is a mapping ,... from names to names. The application of a substitution on a 
term P[^'/yi > • • • )^"/>’„] defined as fhe resulf of simulfaneously replacing all free occurrences of y,- by x,- 
for / G { 1,... }. For all names in .jY \ { yi, •. • ,y« } the substitution behaves as the identity mapping. 

We naturally extend substitutions to co-names, i.e., Va € jY. o{a) = o{a) for all substitutions a. The 
relation i—as defined in fhe semantics below defines fhe reducfion sfeps processes can perform. We 
wrife P I—;■ P' if {P,P') €i—y and call P' a derivative of P. Lef l=> denofe fhe reflexive and fransifive 
closure of i— y. P is divergent if if has an infinife sequence of sfeps P i— y^. We use barbs or observables 
fo disfinguish befween processes wifh differenf behaviours. We wrife PJ,^ if P has a barb a, where fhe 
predicafe • J,. can be defined differenf for each calculus. Moreover P reaches a barb a, if P a reaches a 
process wifh fhis barb, i.e., PJJ-ce — 3P'. P l=^ P' AP'Ice- 

We use a varianf of CSP |'8], where prefixes only occur behind exfemal choice. 

Definition 1. The processes are given by 

P::=P|UP I DIV I STOP | PHP | P/b \ f{P) \ X \ fxX-P \ EieX^^P- 

where X G is a process variable, A C ,yY, and is an index sef. 

P||a 2 is fhe parallel composifion of P and Q, where P and Q can proceed independenfly excepf 
for actions a G A, on which fhey have fo synchronise. The process DIV describes divergence. STOP 
denotes inaction. The internal choice operator PUQ reduces fo eifher P or Q wifhin a single infernal 

step. Concealment P/b hides an action b and masks if as T. Renaming f{P) for some / : jY JY 

wifh /(t) = T behaves as P, where a is replaced by /(a) for all a G JY . The recursion jiX • P describes 
a process behaving like P wifh every occurrence of X being replaced by jJtX ■ P. Finally fhe external 
choice Eiejf Pi represenfs a choice befween fhe differenf action prefixes a, —> • followed by fhe 
corresponding continuation P,. The process can perform any a, and fhen behave like P,. 

As usual we use MnN to denofe binary exfemal choice. The CSP semantics is given by fhe rules, 
where we infroduce labelled steps —)• firsf and fhen use fhem fo define i— y: 
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the Definition of distributability in |[2TI a CSP term P is distributable into if are 

subterms of P such that each action prefixes in P occurs exactly in one of the Pi,... ,P„, where different 
but syntactically equivalent action prefixes are distinguished and unguarded occurrences of /rX • P' may 
result in several copies of P' within the Pi,... ,P„. 

As target calculus we use an asynchronous variant of CCS iHTl with name-passing and matching. 

Definition 2. The processes J^ccs are given by 

P::=P|P I (vc)(P) I *c{x).P \ £(x).P | c{x) \ [c = z\P \ 0 

P I 2 is the parallel composition of P and Q, where P and Q can either proceed independently or 
synchronise on channels with matching names. {vd){P) restricts actions d on P, forcing all sub-terms 
of P to synchronise on these actions. a{x).P denotes input on channel a. d{x) is output on channel a. 
Note that because there is no continuation we interpret this calculus as asynchronous. We use *c_{x) .P to 
denote replicated input on channel c with the continuation P. [x = y]P is the matching operator, if x = y 
then P is enabled. 0 denotes inaction. 

The CCS semantics is given by following transition rules: 

P^P' P^P' P = P' P'^Q' Q' = Q 

P\Q^P'\Q (vc)(P)^(vc)(P0 P^G 

_ *c{x).p I c(y) I— ^ *c(x).P I P\y/x] c{y) \ c{x).Q i—^ P | Q\y/x] _ 

where = denotes structural congruence given by the rules: P | 0 = P, P | 2 = 2 I ^ I (2 I I 2) I 

R, (vd)(0) = 0, P I (vd)(2) = (vd)(P I 2) if bn(d) ^ fn(P), [x = x]P = P and [x = y]P = 0 if x /y. As 
discussed in a CCS term P is distributable into Pi,... ,P„ if P = (vx)(Pi | ... | P„). 

2.1 Simulation Relations 

The semantics of a process is usually considered modulo some behavioural equivalence on processes. 
For many calculi the standard reference equivalence is some form of bisimulation. Since in the context 
of encodings, i.e., translation between different languages that can differ in their interpretation of what 
is considered a barb, reduction steps are easier, we use a variant of weak reduction bisimulation. With 
Gorla lO, we add a success operator / to the syntax of both CSP and CCS. Since / cannot be further 
reduced, the semantics is left unchanged in both cases. The test for the reachability of success is standard 
in both languages, i.e., P4-/ = 3P'. P = / | P'. To obtain a non-trivial equivalence, we require that the 
bisimulation respects success and the reachability of barbs. Therefore we use the standard definition of 
barbs in CSP, i.e., action-prefixes, for CSP-barbs. Our encoding function will translate all source terms 
into closed terms, thus the standard definition of CCS barbs would not provide any information. Instead 
we use a notion of translated barb (• ) that reflects how the encoding function translates source term 

barbs. Its definition is given in Section |3] 

Definition 3 (Bisimulation). A relation C is a success sensitive, (translated) barb respecting, 
weak, reduction bisimulation if, whenever (P, Q) € then: 

• Pi— >P' implies 3Q'. Qi=^Q'A (P', Q') G 

• 2 I— >Q' implies 3P'. P |=^ P' A (P', Q') G M 

• P^/iff2^/ 

• P and 2 reach the same (translated) barbs, where we use • JJ-q for CSP and • JJ-iy.jja for CCS 

Two terms P, 2 G are bisimilar, denoted as P 2^ if there exists a bisimulation that relates P and Q. 






M. Hatzel, C. Wagner, K. Peters, U. Nestmann 


5 


We use the symbol to denote either bisimilarity on our target language CCS or on the disjoint union 
of CSP and CCS that allows us to describe the relationship between source terms and their translations. 
In the same way we define a corresponding variant of coupled similarity. 

Definition 4 (Coupled Simulation). A relation ^ is a success sensitive, (translated) barb respect¬ 

ing, weak, reduction coupled simulation if, whenever (P, Q) G then: 

• Pi — >P' implies 3Q'. Qi=^Q'a (P', Q') € ^ and 3Q". Q^Q" A {Q” ,P') G 

• P^/iff(2^/ 

• P and Q reach the same (translated) barbs, where we use • for CSP and • for CCS 

Two terms P,Q ^ are coupled similar, denoted as P «cs Q, if there exists a coupled simulation that 
relates P and Q in both directions. 

2.2 Encodings and Quality Criteria 

We consider two different translations from (the above defined varianf of) CSP info (fhe above defined 
varianf of) CCS wifh name passing and mafching. We denofe fhe varianf of CSP as source and fhe 
varianf of CCS as target language and, accordingly, fheir terms as source terms and target terms 
Encodings often translate single source term steps into a sequence or pomset of target term steps. 
We call such a sequence or pomset a simulation of the corresponding source term step. Moreover we 
assume for each encoding the existence of a so-called renaming policy tp, i.e., a mapping of names from 
the source into vectors of target term names. 

To analyse the quality of encodings and to rule out trivial or meaningless encodings, they are aug¬ 
mented with a set of quality criteria. In order to provide a general framework, Gorla in [|6l suggests five 
criferia well suited for language comparison: 

(1) Compositionality: The franslafion of an operafor op is fhe same for all occurrences of fhaf oper¬ 
ator in a term, i.e., if can be capfured by a confexf "^op such fhaf enc(op (xi,... .. ,S,n)) = 

(xi,... ,x„,enc(Si),... ,enc(5„,)) for fn(Si) U ... Ufn(Sm) = N. 

(2) Name Invariance: The encoding does nof depend on particular names, i.e., for every S and a, if holds 
fhaf enc(a(5')) = a'(enc(5')) if a is injecfive and enc(a(5')) x a'(enc(5')) ofherwise, where a' is 
such fhaf q){o (n)) = o' (<p(n)) for every n G xK. 

(3) Operational Correspondence: Every compulation of a source term can be simulated by ifs Iransla- 
lion, i.e., S\=^$S' implies enc(S) I=^t enc(S') (completeness), and every compulation of a largel 
term corresponds lo some compulation of fhe corresponding source lerm (soundness, compare lo 
Secfion|5]l. 

(4) Divergence Reflection: The encoding does nof inlroduce divergence, i.e., enc(5') i—always im¬ 
plies S I —)-3 . 

(5) Success Sensitiveness: A source lerm and ifs encoding answer fhe lesls for success in exaclly fhe 
same way, i.e., yJI/ iff enc(5') JJ-/. 

Operational correspondence and name invariance assume a behavioural equivalence x on fhe largel 
language (fhaf we inslanliafe wifh f«). Ifs purpose is lo describe fhe abslracl behaviour of a largel process, 
where abslracl refers to fhe behaviour of fhe source lerm. By [(til fhe equivalence x is often defined in 
fhe form of a barbed equivalence (as described e.g. in |[T3l ) or can be derived direclly from fhe reducfion 

semantics and is oflen a congruence, al leasl wifh respecf lo parallel composilion. ss is such a relafion. 

Our encodings will satisfy all of Ihese criferia excepl for composifionalily, because bolh encodings 
consisls of Iwo layers. 11211 shows fhaf fhe above criferia do nof ensure fhaf an encoding preserves dislri- 
bulion and proposes a crilerion for fhe preservalion of disfribulabilily. 
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Definition 5 (Preservation of Distributability). An encoding enc(-) preserves distributability if for every 
S and for all terms Si,...,Sn that are distributable within S there are some T\,... ,Tn that are distributable 
within enc(S) such that 7]- x enc(5',) for all I <i <n. 

Here, because of the choice of the source and the target language, an encoding preserves distributability 
if for each sequence of distributable source term steps their simulations are pairwise distributable. In 
both languages two alternative steps of a term are in conflict with each other if they reduce the same 
action-prefix—for CSP—or reduce either the same (replicated) input using two outputs that transmit 
different values, or reduce the same output using two (replicated) inputs with different continuations. 
Two alternative steps that are not in conflict are distributable. 


3 Translating the CSP Synchronisation Mechanism 

CSP and CCS—or the TT-calculus—differ fundamentally in their communication and synchronisation 
mechanisms. In CSP there is only a single kind of action c ^ •, where c is a (channel) name. Synchro¬ 
nisation is implemented by the parallel operator -Ha- that in CSP is augmented with a set of names A 
containing the names that need to be synchronised at this point. By nesting parallel operators arbitrary 
many actions on the same name can be synchronised. In CCS there are two different kinds of actions: 
inputs c and outputs c. Again synchronisation is implemented by the parallel operator, but in CCS only 
a single input and a single matching output can ever be synchronised. 

To encode the CSP communication and synchronisation mechanisms in CCS with name passing we 
make use of a technique already used in II171I19II to translate between different variants of the TT-calculus. 
CSP actions are translated into action announcements augmented with a lock indicating, whether the 
respective action was already used in the simulation of a step. The other operators of CSP are then 
translated into handlers for these announcements and locks. The translation of sum combines several 
actions under the same lock and thus ensures that only one term of the sum can ever be used. The 
translation of the parallel operator combines announcements of actions that need to be synchronised 
into a single announcement under a fresh lock, whose value is determined by the combination of the 
respective underlying locks at its left and right side. Announcements of actions that do not need to be 
synchronised are simply forwarded. A second layer—containing either a centralised or a de-centralised 
coordinator—then triggers and coordinates the simulation of source term steps. 

Action announcements are of the form a(c, r, l,r'): c is the translation of the source term action, r 
is used to trigger the computation of the Boolean value of I. The lock I evaluates to T as long as the 
respective translated action was not successfully used in the simulation of a step, r' is used to guard the 
encoded continuation of the respective source term action. In the case of a successful simulation attempt 
involving this announcement, an output r'(T) allows to unguard the encoded source term continuation 
and ensures that all following evaluations of I return _L. The message r'(±) indicates an aborted simula¬ 
tion attempt and allows to restore I for later simulation attempts. Once a lock becomes ±, all request for 
its computation return X. 

3.1 Abbreviations 

We introduce some abbreviations to simplify the presentation of the encodings. We use 


[x^A]P = Y\acA[x = a]P 
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reserved names 

purpose 

a, a' 

announce the ability to perform an action 


(translated) source term channel, channel from the left/right of a parallel operator 

1, II, Ir 

lock, lock from the left/right of a parallel operator 

1' 

re-instantiate a positive sum lock 

r, Tl, Ir 

request the computation of the value of a lock 

r', r',-, r'L, t'r 

simulate a source term step and unguard the corresponding continuations 

n 

order left announcements for the same channel that need to be synchronised 

s, s' 

distribute right announcements that need to be synchronised 

b 

Boolean value (± or T) 

T 

fresh name used to announce T-steps that result from concealment 

once 

used by the centralised encoding to avoid overlapping simulation attempts 

m 

fresh names used to encode internal choice 

d 

fresh names used to encode divergence 

tj 

used to encode Boolean values 


Table 1: Reserved Names. 


to test, whether an action belongs to the set of synchronised actions in the encoding of the parallel 
operator. As already done in ifldlfTSll we use Boolean valued locks to ensure that every translation of 
an action is only used once to simulate a step. Boolean locks are channels on which only the Boolean 
values T (true) or _L (false) are transmitted. An unguarded output over a Boolean lock with value T is 
called a positive instantiation of the respective lock, whereas an unguarded output sending _L is denoted 
as negative instantiation. At the receiving end of such a channel, the Boolean value can be used to 
make a binary decision, which is done here within an IF • THEN • ELSE -construct. This construct 
and accordingly instantiations of locks are implemented as in II141I151I using restriction and the order of 
transmitted values. 


^(T) = i{tj)rt i{i.) ^ i_{tj).f 

l_{b).lFbTliEN PELSEQ = {Vt,f)(l{t,f) \t_.P\f.Q) 

We observe that the Boolean values T and _L are realised by a pair of links without parameters. Both 
cases of the IF • THEN • ELSE --construct operate as guard for its subterms P and Q. The renaming policy 
(p reserves the names t and / to implement the Boolean values T and _L. 

3.2 The Algorithm 

The encoding functions introduce some fresh names, that are reserved for special purposes. In Tabled] 
we list the reserved names ^ and provide a hint on their purpose. Moreover we reserve the names 
{.T; I / € N } and assume an injective mapping tp' : ^ {xi\i ^N} that maps process variables of 

CSP to distinct names. The renaming policy tp for our encodings is then a function that reserves the 
names in ^ U {.r,- | / G N } and translates every source term name into three target term names. More 
precisely, choose (p : such that: 

1. No name is mapped onto a reserved name, i.e., (p{n) n {iMVP {.r,- | / G N }) = 0 for all n G 

2. No two different names are mapped to overlapping sets of names, i.e., (p{n) n (p{m) = 0 for all 
n,m^ ,yV with n^m. 
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We naturally extend the renaming policy to sets of names, i.e., (p{X) = { (p{x) | x € X } if X C 
Let ((xi,... ,x„)) .i = Xi denote the projection of a n-tuple to its /th element, if 1 < / < n. Moreover 
(X)./ = { (x)./1 X G X } for a set of n-tuples X and 1 < / < n. 

The inner part of our two encodings is presented in Figured] The most complex case is the translation 
of the parallel operator [[F||a 2JJ that is based on the following four steps: 

Step 1 : Action announcements for channels c ^ A 

In the case of actions on channels c ^ A—that do not need to be synchronised here—the encoding 
of the parallel operator acts like a forwarder and transfers action announcements of both its subtrees 
further up in the parallel tree. Two different restrictions of the channel for action announcements 
a from the left side [[FJJ and the right side [[2]j, allow to trace action announcements back to their 
origin as it is necessary in the following case. In the present case we use a' to bridge the action 
announcement over the restrictions on a. 

Step 2: Action announcements for channels c G A 

Actions c G A need to be synchronised, i.e., can be performed only if both sides of the parallel 
operator cooperate on this action. Simulating this kind of synchronisation is the main purpose of 
the encoding of the parallel operator. The renaming policy (p translates each source term name 
into three target term names. The first target term name is used as reference to the original source 
term name and transferred in announcements. The other two names are used to simulate the 
synchronisation of the parallel operator in CSP. Announcements from the left are translated to 
outputs on the respective second name and announcements from the right to the respective third 
name. Restriction ensures that these outputs can only be computed by the current parallel operator 
encoding. The translations of the announcements into different outputs for different source term 
names allows us to treat announcements of different names concurrently using the term Synch (c), 
where c is a source term name. 

Step 3: The term Synch (c) 

In Synch (c) all announcements for the same source term name c from the left are ordered in order 
to combine each left and each right announcement on the same name. Several such announcements 
may result from underlying parallel operators, sums with similar summands, and junk left over 
from already simulated source term steps. For each left announcement a fresh instance of s is 
generated and restricted. The names s and s' are used to transfer right announcements to the 
respective next left announcement, where s' is used to bridge over the restriction on s. This way 
each right announcement will eventually be transferred to each left announcement on the same 
name. Note that this kind of forwarding is not done concurrently but in the source language a term 
P1 1.4 2 also cannot perform two steps on the same name c G A concurrently. After combining a left 
and a right announcement on the same source term name a fresh set of auxiliary variables r, l,r' 
is generated and a corresponding announcement is transmitted. The term Sim reacts to requests 
regarding this announcement and is used to simulate a step on the synchronised action. 

Step 4: The term Sim 

If a request reaches Sim it starts questioning the left and the right side. First the left side is 
requested to compute the current value of the lock of the action. Only if T is returned, the right 
side is requested to compute its lock as well. This avoids deadlocks that would result from blindly 
requesting the computation of locks in the de-centralised encoding. If the locks of both sides are 
still valid the fresh lock I returns T else _L is returned. For each case Sim ensures that subsequently 
requests will obtain an answer by looping with I' or returning _L to all requests, respectively. The 
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IPIUGJ = (va',(9(A)).2,((p(A)).3)( 

(va)(lP| I *a(c,x).([cG (9(A)).1 ](^(^(x) | [c ^ ( 9 (A)) .l]i^(c,x))) 
(va)(lG| I *a(c,x).([cG ((p(A)).l](^(^(x) | [c ^ ((p(A)) .l]7(c,x))) 

I ricGASynch (c) I *^(x).a(x)) 

Synch(c) = (vn) (n{{(p{c)) 3) 

I *n(s) f ((p(c)).2 (rL, II,t'l) • ( (vs') 

*s(rR,lR,r'R).((vr,l,r')(a(((p(c)).l,r,l,r') | Sim) | s'(rR, Ir,t'r)) 

I (vs)(n(s) I *s((a).s(x)))))) 

Sim = (vT) I *\\ (^r. I kXb). (^IF b THEN | Ir(^) . b 

THEN (I(T) I r^(^).(FL(^) l^(^) I IF Z; THEN *r.I(±) ELSeF)) 

ELSE (I(±) I ?^:(A)) I *rJ(±))) 

ELSE (i(A) I *rJ(±)))))) 
mieyCi^PiW ^ (vr,l,r'i,...,r'„) (r.I(T) 

I Uiey (a((c,).l,r,l,r';) | .IF ^ THEN (^P,JJ | *r.K±)) ELSE r.i(T))) 

F(^)Ail - (^a')((^3>^)(ii^il I *^{c,x).{[c = z]a'{'i,x) \ [c / z] a'(c,x))) | *a((x).a(x)) 
F/(^)F - (va') ((va,z) ([[PJJ I *a(c,x) [c = {(p{x)) .1] a^(((p(z)) .l,x) 

I [c i dom(/)]7(c,x))) I *^(x).a(x)) 

^DIV| ^ (vd)(d I *d.d) 
m-p]\ 4 {v(p'ix))(y(x)\*(^iP\\) 

iPneJ =(vm)(m.lP]j|m.leJ|m) 

ISTOPJ =0 
=/ 

where ^ (<p(A)) .1 is short for G (fn(P) Ufn(2)) \ (<p(A)) .1, ^ dom(/) is short for G fn(P) \dom(/), and 
/ z is short for G fn(P) \ { z }. 


Figure 1: An eneoding from CSP into CCS with value passing (inner part). 
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messages r'L(±) and r'R(_L) cause the respective underlying subterms on the left and the right 
side to do the same, whereas r'L(T) and r'R(T) cause the unguarding of encoded continuations as 
result of a successful simulation of a source term synchronisation step. 

3.3 Basic Properties and Translated Observables 

The protocol introduced by the encoding function in Figure [T] (and its outer parts introduced later) sim¬ 
ulates a single source term step by a sequence of target term steps. Most of these steps are merely pre- 
and post-processing steps, i.e., they do not participate in decisions regarding the simulation of conflict¬ 
ing source term steps but only prepare and complete simulations. Accordingly we distinguish between 
auxiliary steps —that are pre- and post-processing steps—and simulation steps —that mark a point of no 
return by deciding which source term step is simulated. Note that the points of no return and thus the 
definition of auxiliary and simulation steps is different in the two variants of our encoding. 

Auxiliary steps do not influence the choice of source terms steps that are simulated. Moreover they 
operate on restricted channels, i.e., are unobservable. Accordingly they do not change the state of the 
target term modulo the considered reference relations rs and r^cs- We introduce some auxiliary lemmata 
to support this claim. 

The encoding [[-JJ translates source term barbs c into free announcements with ((p(c)) .1 as first value 
and a lock I as third value that computes to T. The two coordinators, i.e., outer encodings, we introduce 
later, restrict the free a-channel of [[-JJ. 

Definition 6 (Translated Barbs). Let T G such that 35. [[SJJ|=^tT, 35. |5]] I=^tT, or 35. (|5 Di=^tT. 
r has a translated barb c, denoted by T i[[.]]c, if 

• there is an unguarded output a{((p(c)) .1, r, I, r') —on a free channel a in the case of [[-JJ or the 
outermost variant of a in the case of the later introduced encodings [[•] and d-)—in T or 

• such an announcement was consumed to unguard an IF • THEN • ELSE -construct testing I and 
this construct is still not resolved in T 

such that all locks that are necessary to instantiate I are positively instantiated. 

Analysing the encoding function in Figure[T]we observe that guarded subterms S' of a of a source term 
5, e.g. 5 = a ^ 5', are translated into guarded subterms of [[5JJ, whereas the translations of unguarded 
subterms, e.g. 5 = 5 '||a 5", remain unguarded. 

Observation 7. 

Let 5,5' € such that S' is a subterm of 5. Then [[5']] is guarded in [[5JJ iff S' is guarded in 5. 

We also observe that an encoded source term has a translated barb iff the corresponding source term 
has the corresponding source term barb. 

Observation 8 . For all 5 € it holds 5|c iff 4|[.j]c- 

All instances of success in the translation result from success in the source. More precisely the only 
way to obtain / in the translation is by [[/ JJ = /. 

Observation 9. For all 5 € it holds 5J,/ iff [[5j] J,/. 

The simplest case of a step that cannot change the state of a term modulo rs, is a step on a restricted 
channel that is not in conflict with any other reachable step of the term. 

Lemma 10. Let T, T' G and T \—)-t T' be a step on an unobservable channel such that no alternative 

step of T or its derivatives is in conflict to the step T \—>-7 T'. Then T ~ T'. 
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T = (vc)(c(z) I *c{x).Ti I c{y) \ T^) 

r = {vy){Ti [z/x] I *c{x).Ti I c(3;) | Tj) P' = (vc)(c(z) | Ti \^/x] \ *c{x).Ti \ T3) 

Q' = {vc){T,[z/x] I Ti\y/x] \ *c{x).T, \ T,) 

Figure 2: Diamond Property. 


Proof. Let be the reflexive closure over the set of pairs (r, T') such that T 1 — T' is a step on an 
unobservable channel and no alternative step of T or its derivatives is in conflict with the step T \—>^7 T'. 
We show that is a bisimulation. Let (T, T') € We have to prove the following four conditions: 

1. T I— P' implies 32'. T'^xG' AP'^Q': 

Without loss of generality assume T 1 —:>x T' reduces c{z) and *c{x).T\ (the case of non-replicated 
input is similar). Then T = (vc)(c(z} | *c(x).T\ \ T 2 ) and T' = {vy){Ti[z/x] \ *c{x).Ti \ T 2 ). 

IfP' = T' then choose Q' = P'. Q'\=^jQ' and P' « Q' follow from reflexivity. 

Else if T I—>^x P' is a step on c, then, since there are no conflicts with T 1 —:>x T', the two 
steps reduce different outputs on c but the same replicated input. Hence T 2 = c(y) | Tt, and 
P' = (vc)(c(z) I Ti\y/x\ I *c_{x).Ti \ Tf). Then T' can perform this step such that T' 1 —^-x Q' with 
Q' = {vc){Ti[z/x\ I T\\y/x\ \ *c_{x).Ti \ Tf). Also P' can perform the same step as T 1 —^x T' such 
that P' I—>^x Q' (compare to Figure |2l). Since no alternative step of a derivative of T can be in 
conflict with this step, we have (P', Q') € 

Else there is c' / c such that T 2 = c'(y) | c^(v).r/ | Tj and P' = (vc)(c(z) | *c{x).Ti \ T[^/v] \ Tf) 
(the case of replicated input is similar). Again T' can perform this step such that T' \—:>x Q' with 
Q' = (vc)(ri [z/x\ I *c_{x).Ti I T[\y/v] \ T^). Also P' can perform the same step as T 1 —)-x T' such 
that P' I—>-x Q'. Since no alternative step of a derivative of T can be in conflict with this step, we 
have {P',Q')€^. 

2. T' I—^x Q' implies 3P'. T^^P' A P' « Q': 

Choose P' = Q'. Then T 1 —)-x T' 1 —>^x Q' and, by reflexivity, P' rs Q'. 

3. P^/iffP'^/: 

Once success is unguarded it cannot be removed. Accordingly the step can only add an unguarded 
instance of success, which then is reachable from T. By 1. and 2., T and T' can reach the same 
occurrences of success. 

4. r%.|«iffP'%.|,: 

Since there are only outputs but no inputs on the free variant of a, steps can produce but not reduces 
free announcements. Every free announcement introduced by T \—^x T' is also reachable in T. 
By 1. and 2., T and T' reach the same translated barbs. 

□ 

Many auxiliary steps implement the forwarding of announcements. They are steps on restricted 
channels such that there is always exactly one replicated input on this channel. This ensures that these 
steps cannot be in conflict with other steps of the encoding and thus do not change the state modulo rs. 

Proposition 11. Eet P, T' G .^x and T \—)-x T' be a step on a restricted channel c such that the only 
input on c in P and all derivatives of P is exactly one replicated input. Then P Ri P'. 
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Proof. Two steps reducing the same replicated input (but different outputs) are not in conflict with each 
other. Thus T cannot perform a step that is conflict with T \ —)-t T'. Note that replicated inputs are never 
removed. Since this replicated input is the only input on c in all derivatives of T, no alternative step of 
any derivative of T is in conflict with T \ — T' . By Lemma [TOl then T ^T'. □ 

Variants of the channels r, tl, and tr do not carry parameters. For channels like these, a conflict can 
only result from two steps that reduce different (replicated) inputs, because the derivatives can differ only 
due to different continuations of the respective inputs. 

Proposition 12. Let T, T' G and T i— T' reduce a restricted c such that no value is transmitted 
and there is at most one input or replicated input on c in T and all derivatives of T . Then T k,T' . 

Proof. Since there is always at most one (replicated) input on c, alternative steps on this channel can 
only compete for different outputs. Let T\=^t:T\. Since in outputs have no continuation and because 
c does not carry a value, the continuations of two steps Ti \—)-t T[ and Ti \—)-t T[' that reduce different 
outputs on c but the same (replicated) input are structural congruent, i.e., T/ = T[' . By Lemma [TOl and 

because all other steps on different channels are not in conflict with T\=^'yT', then T k,T' . □ 

The encoding propagates announcements through the translated parallel structure. In the translation 
of parallel operators it combines all left and right announcements w.r.t. to the same channel name, if this 
channel needs to be synchronised. Therefore we copy announcements. We use locks carrying a Boolean 
value to indicate whether an announcement was already used to simulate a source term step. These locks 
carry T in the beginning and are swapped to _L as soon as the announcement was used. In each state 
there is at most one positive instantiation of each lock and as soon as a lock is instantiated negatively it 
never becomes positive again. 

Lemma 13. Let T G such that 3S. [[SJJ|=^tT. Then for each variant I of the names I, II, Ir 

1. there is at most one positive instantiation of I in T, 

2. if there is a positive instantiation of I in T then there is no other instantiation of I in T, 

3. if there is a negative instantiation of I in T then no derivative ofT contains a positive instantiation 
ofl. 

Proof. Analysing the encoding function in Figure [T]we observe that initially no instantiations of locks are 
unguarded. Sim and the translation of external choice are the only parts of the translation that introduce 
instantiations of locks and both restrict the respective locks. 

In the translation of external choice all instantiations of the lock I are guarded by an input or a 
replicated input on r. Moreover, to unguard one of the later two instantiations within the IF • THEN • 
ELSE -construct, a step on r',- is necessary. Therefore we need an instantiation of r',-. The only instances 
of a variant of r', r',, xf, t'r are generated by Sim. There they are guarded and to unguard them a positive 
instantiation of the corresponding lock has to be consumed. This way only a single positive instantiation 
can be unguarded, but *r.I(_L) allows to obtain several negative instantiations of I if there are several 
outputs on r. 

To unguard an instantiation of I within the IF • THEN • ELSE -constructs in Sim a step on I' is 
necessary. Initially there is only a single unguarded output on I'. A subsequent output on I' can be 
unguarded by consuming a negative instantiation of r' and that requires again the consumption of a 
positive instantiation of I. Moreover, if a negative instantiation of I is unguarded, then also *r.I(_L) but no 
output on I' is unguarded. 
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Thus both cases 1. and 2. follow by induction over the number of steps in [LSJJ|=^t 2’- Since initially 
only positive instantiations of I are reachable, by 1. and 2., and because the unguarding of a new positive 
instance of I requires the consumption of a positive instantiation of I, property 3. holds. □ 

Moreover each target term contains at most a single input or replicated input for each variant of r, tl, 
and tr. 

Lemma 14. Let T € such that BS. [[5'JJ|=>tL. Then for each variant r of the names r, tl, tr there is 
at most one (replicated) input on r in T. 

Proof (Replicated) inputs on r are introduced by Sim and the translation of external choice. 

In Sim to unguard an input on r an output on I' has to be consumed. Initially there is a single such 
output. Additional outputs on I' can only be unguarded by consuming a positive instantiation of the 
lock I. Unguarding a positive instantiation of I in turn requires to consume an input on r. Unguarding a 
replicated input on r also unguards a negative instantiation of I. 

The translation of external choice initially offers exactly one unguarded input on r. To unguard an 
additional (replicated) input on r, we have to consume a positive instantiation of the lock I (to obtain an 
instantiation of r'). Unguarding a positive instantiation of I in turn requires to consume an input on r. 
Unguarding a replicated input on r also unguards a negative instantiation of I. 

By induction over the number of steps in [[5 'JJi=^tL, we can show that there is at most one (repli¬ 
cated) input on rinT. □ 

Synch (c) combines each left announcement of this action with each right announcement of this ac¬ 
tion. Therefore each left announcement—transmitted over (<p(c)) .2 to keep track of the source term 
action—^restricts its own version of s and s'. Then over each s all right announcements—initially trans¬ 
mitted over (<p(c)) .3—are received and forwarded to the next variant of s by a message on s'. Derivatives 
of Synch(c) can differ in the order in that left announcements on (<p(c)) .2 were received. Two left an¬ 
nouncements for the same action cannot be processed concurrently, but also the source term cannot 
perform two steps on the same synchronised channel concurrently. We show that the different order of 
left announcements does not matter. 

Lemma 15. Let T,T' € such that 3S. [[5'JJ|=^tL '— T' and T \—)-t T' reduces an output on 
((p(c}} .2. Moreover assume that for all steps Ti \ — T[ on a variant o/s,s', n with 35'. [[5'JJ|=^t2i it 

holds T\ ~ Tf Then T ~ T'. 

Proof The only part of [[-JJ that provides inputs on ((p(c)) .2 is Synch(c). Since (<p(c)) .2 is restricted in 
the translation of the parallel operator, T can have at most one unguarded input on {(p{c)) .2 but several 
outputs on ((p(c)) .2. Thus different steps on this channel are in conflict with each other. A new input on 
{(p{c)) .2 is unguarded by reducing the replicated input *n(s). Thus the continuations of different steps 
on (<p(c)) .2 differ by the variant of s only. Each reduction of the input on (<p(c)) .2 immediately restricts 
new variants of s and s' and provides a new output 11(5). Since all steps on variants of s,s',n do not 

change the state modulo ps and because all variants of s,s', n, (<p(c)) .2 are restricted, the continuations 
of different inputs on (<p(c)) .2 cannot be distinguished by Thus T k,T' . □ 

4 The Centralised Encoding 

Figure [T] describes how to translate CSP actions into announcements augmented with locks and how the 
other operators are translated to either forward or combine these announcements and locks. With that 
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[Pi = (va,once) ([[Pj] | once | *on^.a(c,r,l,r').(r | l(Z>).(once | IF THEN i''(T)))) 
Figure 3: A centralised encoding from CSP into CCS with value passing. 


[[•JJ provides the basic machinery of our encoding from CSP into CCS with name passing and matching. 
However it does not allow to simulate any source term step. Therefore we need a second (outer) layer 
that triggers and coordinates the simulation of source term steps. We consider two ways to implement 
this coordinator: a centralised and a de-centralised coordinator. The centralised coordinator is depicted 
in Figured 

The channel once is used to ensure that simulation attempts of different source term steps cannot 
overlap each other. For each simulation attempt exactly one announcement is consumed. The coordina¬ 
tor then triggers the computation of the respective lock that was transmitted in the announcement. This 
request for the computation of the lock is propagated along the parallel structure induced by the transla¬ 
tions of parallel operators until—in the leafs—encodings of sums are reached. There the request for the 
computation yields the transmission of the current value of the respective lock. While being transmitted 
back to the top of the tree, different locks that refer to synchronisation in the source terms are combined. 
If the computation of the lock results with T at the top of the tree, the respective source term step is sim¬ 
ulated. Else the encoding aborts the simulation attempt and restores the consumed informations about 
the values of the respective locks. In both cases a new instance of once allows to start the next simulation 
attempt. Accordingly only some post-processing steps can overlap with a new simulation attempt. 

The central coordinator respects the protocol on locks used to ensure that each announcement is 
only used once to simulate a source term step, i.e., it preserves the properties of locks formulated in 
Lemma [13] 

Proposition 16. Let T G such that 3S. [S']] I=^t 7’- Then for each variant I of the names I, II, Ir 

1. there is at most one positive instantiation of I in T, 

2. if there is a positive instantiation of Z in T then there is no other instantiation of I in T, and 

3. if there is a negative instantiation of Z in T then no derivative of T contains a positive instantiation 
ofZ. 

Proof. The encoding in Ligure [3] does not introduce new instantiations of Z. It does provide additional 
instantiations of r', but to unguard them again a positive instantiation of the corresponding lock I has to 
be consumed. Thus [•]] preserves the properties of locks formulated in Lemma [T^ □ 

Similarly LemmafTdlis preserved. 

Proposition 17. Let T G such that 3S. [S] I=^t 7’- Then for each variant r of the names r, tr, ir there 
is at most one (replicated) input on r in T. 

Proof. Lollows from Lemma[T4|and Proposition]!^] because the encoding in Ligure[3]provides additional 
instantiations of r', but to unguard them a positive instantiation of the corresponding lock I has to be 
consumed. □ 

Lemma [T5] is preserved by [•]], because the encoding in Ligure [3]does not use variants of the names 
s,s', n, and (<p(c)) .2. 
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Proposition 18. Let T,T' G such that 3S. [S'] 1=^x7’'— T' and T \—)>x T' reduces an output on 
{(p{c)) .2. Moreover assume that for all steps T\ i—)-x T[ on a variant of s,s', n with 3S'. [S'']] I=>x7i it 

holds Ti ii T{. Then T « T'. 

Proof. The encoding in Figure [3] does not use variants of the names s,s',n, and ((p(c)).2. Thus this 
Proposition follows from Lemma[T5l □ 

As we prove below, the points of no return in the centralised encoding can result from the consump¬ 
tion of action announcements by the outer encoding in Figure |3] if the corresponding lock computes to 
T. Moreover the encoding of internal choice and divergence introduces simulation steps, namely all 
steps on variants of the channels m, d, and (p'(X). All remaining steps of the centralised encoding are 
auxiliary. 

Definition 19 (Auxiliary and Simulation Steps). A step T i—^x T' such that 35 G [5'1 i=^t 7’ is 
called a simulation step, denoted by T T', if T i— T' is a step on the outermost channel a and the 

computation of the value of the received lock I will return T or it is a step on a variant of m, d, or (p'(X). 

Else the step T \—)>x T' is called an auxiliary step, denoted by T i—^ T'. 

Let |=L^ denote the reflexive and transitive closure of i—^ and let l=^ = Auxiliary steps do 

not change the state modulo ss. 

Lemma 20. T i—^ T' implies T T' for all target terms T, T'. 

Proof We distinguish the following cases w.r.t. the channel x that is reduced in the step T i—^ T'. 

1. bis a placeholder for t and /, but, in contrast to t and /, b itself is never used as a channel name. 
Also t,c,cl,cr,z, and (ip(c')) .1 for all source term names c' are never used as channels. 

2. All variants of one of the names a except for the outermost, a', I', r', Tr) n, s, s', and once are used 
as simple forwarders. If we analyse the encoding functions in Figure [T] and Figure [3l we observe 
that they are always restricted and there is exactly one replicated input and no other input on the 
respective variant in their scope. Thus, for all target terms T such that 3S. |S] 1=^ T, all steps on 

such channels satisfy the conditions specified by Proposition [H] Hence T Ri T'. 

3. The name {(p{c)) .3 is transmitted over n in Synch(-) as initial value of s. Thus, similarly to s 

because of Proposition [TTl T T'. 

4. The case of x being a variant of r, rx, tr follows from Propositionand Proposition [T tI 

5. The case of x being a variant of (<p(c)) .2 follows from 2. and Proposition [18] 

6. Variants of the names t,/ are used to implement Boolean valued locks and an IF • THEN • ELSE - 
construct testing such locks. By Proposition [161 there is at most one positive instantiation of each 
lock and by definition all negative instantiations of the same lock—and also positive ones—are 
structural congruent. Since each IE • THEN • ELSE --construct restricts its own variants of t and / 
and because there is never a positive and a negative instantiation of the same lock (Proposition [T6l). 
all conflicts between two steps on variants of t and / result into structural congruent continuations 
and a step on variants of t and / cannot be in conflict with any other step on a different channel of 
T or its derivatives. Because = C « and by Lemma[T0l then T « T'. 

7. Variants of the names I,Il,Ir refer to Boolean valued locks. In the centralised encoding all an¬ 
nouncements are propagated upwards—and on their way upwards some of them are composed— 
until they reach the outer layer [[•]]. once ensures that only a single announcement is processed at 
a time. A new output on once can only be unguarded by consuming an instantiation of the lock I 
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of the announcement that is currently processed. After the consumption of an announcement the 
output r triggers the computation of an instantiation of I. Technically an instantiation of a lock is 
an output on I and the corresponding inputs are part of the IF • THEN • ELSE --construct testing 
this value. Sim is the only part of the encoding that introduces such IF • THEN • ELSE -constructs 
for variants of I, II, Ir and there the IF • THEN • ELSE -constructs are guarded by an input on r. 
Each step on r unguards a nested IF • THEN • ELSE --construct testing a variant of II and Ir. Since 
outputs on variants of r,rL,rR move downwards along the translation of the parallel tree of the 
source term and because of once, no two different IF - THEN - ELSE -constructs for the same lock 
are ever unguarded. By Proposition [161 there is at most one positive instantiation of each lock in T 
and if there is a positive instantiation then there is no negative instantiation of the same lock. Thus 
a step reducing a positive instantiation of a lock cannot be in conflict with any other step of T or 
derivatives of T. By Lemma [TOl then T « T'. 

By definition, all negative instantiations of the same lock are structural congruent. Thus, since 
there is only a single IF - THEN - ELSE --construct, two alternative steps that reduce different neg¬ 
ative instantiations of the same lock result into structural congruent derivatives. All steps on other 
channels cannot be in conflict with a step reducing a negative instantiation of the respective lock. 
Because = Ck, and by Lemma [TOl then T k, T' . 

8. In the case of .r being the outermost variant of a. Definition [19] ensures that the lock I received in 
this step will compute to _L. By induction on the parallel structure of the respective source term, we 
show that the encoding then ensures that all instantiations of locks that were consumed to compute 
the instantiation of I are restored with the same truth value. This holds, because Sim ensures that 
each combination of a positive instantiated lock from the left and a negative instantiated lock from 
the right causes an output r'L(-L). This output is propagated downwards and causes the outputs 
r'L(-L) and r'R(_L) for each pair of positive instantiated left and right locks combined below. In the 
translation of external choice these outputs on variants of r', t'l, cause the unguarding of a fresh 
positive instantiation of the respective lock. Negative instantiations do not need to be restored, 
because they are introduced by *r.I(_L) that provides as many negative instantiations as there are 
requests r for them. Also, only if the lock computes to T a positive instantiation of r' is unguarded 
and propagated downwards. Since positive instantiations of variants of Kj^lT^R the only 
way to unguard an encoded source term continuation in the translation of external choice, a step 
reducing an announcement such that the respective lock will be computed to _L cannot influence 
reachability of barbs or success. Thus modulo some auxiliary steps considered above, i.e., modulo 
steps that do not change the state of the term modulo rs, in the present case T and T' differ by 
the consumption of the respective announcement only. Since announcements are not success, are 
not observable, and, because of the negative lock, this announcement is not a translated barb, the 
difference between T and T' is not observable by «, i.e., T k, T'. 

□ 

By distinguishing auxiliary and simulation steps, we can prove a condition stronger than operational 

correspondence, namely that each source term step is simulated by exactly one simulation step. 

Lemma 21. VS,S'. S S' iff3T. |Sl ^ T A [S'l « T. 

Proof. LetS,S'e^s- 

‘if’-part: Assume S i —>s S'. Then either there is some source term name c such that S S' or S i—^ S'. 
In the first case at least one action prefix c —- is reduced. The second case results from divergence. 
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internal choice, concealment, or recursion. 

1. The encoding translates action prefixes c ■ into announcements with ((p(c)) .1 as first value. 
By Observation |7] and because the outer encoding in Figure [3] does not guard [[P]J, these 
announcements are unguarded for all source term action prefixes fhaf are reduced in S 

S'. By inducfion on fhe sfrucfure of fhe source ferm, we show fhaf fhese announcemenfs 
can be fransferred all fhe way up in fhe parallel free and are combined along Ibis way— 
for each parallel operafor fhaf synchronises fwo c-acfions in fhe source, fwo announcemenfs 
are combined in fhe franslafion—such fhaf a single announcemenf for fhis acfion reaches 
fhe oufermosf a-channel. The coordinator performs a step on once and fhen receives fhis 
announcemenf and requesfs fhe compufafion of fhe lock by sending r. Since initially all locks 
are insfanfiafed posifive fhis compufafion resulfs T. As a consequence r'(T) is propagated 
downwards and ensures fhaf fhe encodings of all source ferm confinuafions fhaf are unguarded 
by S 1 -^ S' can be unguarded by auxiliary steps in fhe franslafion. Moreover r'(T) ensures 
fhaf fhe consumed insfanfiafions of locks can only be re-insfanfiafed wifh fhe value _L. Lef T 
denofe fhe resulf of fhis simulafion. 

The negative insfanfiafions of fhe locks ensure fhaf no step of S fhaf is in conflicl wifh 
S I —)-s S' can be simulafed by T and removes franslafed barbs fhaf refer fo barbs removed 
by S I— S'- The only non-auxiliary step in fhe simulafion [S'] I=^tT is the simulation 
step that consumes the announcement on the top of the tree on the outermost a-channel, i.e., 
|S] 1=^ T. With Observation m Observation |9j and because in the end of the simulation the 
encodings of the respective source term continuations are unguarded, T and |S'| have the 
same ability to reach success and reach the same translated observables. Hence [S'] T. 

2. Divergence is translated into the divergent target term (vd)(d | *d.d). By Observation IT) 
simulating S i —>s S' in this case requires only a single simulation step on the respective 
variant of d. Let T be the derivative of this step. Since the steps on d are not observable 
modulo « in this case, we have [S] T « [5"]. 

3. Internal choice Pn 2 is translated into (vm)(rn.[[PjJ | ni.[[2jj | rn). By Observation |7j simu¬ 
lating S I— S' in this case requires only a single simulation step on the respective variant 
of m. Let this step unguard [[Pj] if 51=^8*^^ unguards P and else unguard [[2JJ. Let T be 
the derivative of this step. With Observation [H Observation |9l and because the simulation 
unguards the encoding of the respective source term continuation, T and [S''] have the same 

ability to reach success and reach the same translated observables. Hence [S'] « T. 

4. In the case of concealment the source term hides a former observable action that is simulated 
as in 1. The translation of concealment only adds a restriction on c and renames the first value 
of the announcement into T such that it is never synchronised afterwards. Thus the simulation 
of S 1 -^ S' in this case is similar to 1. except for the steps to forward the announcement within 
the translation of concealment. 

5. IJ.X -P is translated into {vq)'{X))(^q)'{X) \ *(p'(A).[[P]]^ and [[AJJ = (p'(A). By Observa¬ 
tion |7j simulating S i— S' in this case requires only a single simulation step on the respec¬ 
tive variant of (p'{X). This step unguards an instance of [[Pjj. Let T be the derivative of this 
step. With Observation [H Observation |9j and because the simulation unguards the encoding 
of the respective source term continuation, T and [5"] have the same ability to reach success 

and reach the same translated observables. Hence [5'] ^ T. 

Thus, by induction on the structure of S, the encoding [•] can simulate each source term step 
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S I— S' such that 3T. [S] T A |S']1 i T. 

‘only-if’-part: Assume T such that |S] 1=^ T and |S]] « T. By Lemma 1^ it suffices to concentrate 
on the single simulation step in [S'] 1=^ T. In [S'] 1=^ T either exactly one announcement w.r.t. 
to a positive lock is reduced by the simulation step (1.), or there is exactly one step—namely the 
simulation step—on a variant of either m (2.), d (3.), or (p'{X) (4.). 

1. Since |S]] 1=^ T neither contains steps on variants of d nor m nor (p'{X), no encoded source 

term continuation in the translation of internal choice or recursion is unguarded. Let T',T” 
such that ISJ1=^ T' T" T. T' T" reduces an announcement a(c, r, I, r') such that 
the computation of I in T" will result T. By analysing the way the lock I is computed in T' we 
can conclude on the source term prefixes and fhe parf of fhe source ferm parallel sfrucfure fhaf 
is reflecfed by fhis simulafion of a source ferm sfep. Analysing fhe way of fhe announcemenf 
we can also defermine whefher a source ferm concealmenf was involved. Because auxiliary 
sfeps cannof unguard encoded source ferm continuations and by Observation |7j fhen we 
can conclude on fhe strucfure of S and consfrucf subjecf fo S a source ferm S' such fhaf 
SI— >s S' and S' resulfs from S by reducing all acfion prefixes whose franslafion are identified 
by fhe above analyse of fhe way the lock I is computed. In the S' the respective source 
term continuations are unguarded. In T" only auxiliary steps are necessary to unguard the 
translation of these source term continuations. With Lemma l20l and because the simulation 
step simulates all observable effects of the step then [5"] Ri T. 

2. Since no announcements w.r.t. positive instantiated locks are reduced in [S] 1=^ T, no trans¬ 

lated barb are removed and no encoded source term continuation in the translation of external 
choice is unguarded. Since there is no step on a variant of (p'{X), no encoded source term 
continuation in the translation of recursion is unguarded. Instead exactly one source term 
encoding—without loss of generality let us call this encoded source term |[PJJ—due to the 
translation of internal choice is unguarded. This step ensures the respective other encoded 
source term alternative of the internal choice can never be unguarded, i.e., is modulo sim¬ 
ilar to 0. This is the only effect of the steps [S']] 1=^ T that can be observed modulo 
Therefore this internal choice translation has to be unguarded in |S], because auxiliary steps 
cannot unguard encoded source term continuations. By Observation |7j then S contains an 
unguarded internal choice with P as one of the alternatives. Then S i— S' such that this 
step resolves the internal choice and unguards P. With Lemma[20]and because the simulation 
step simulates all observable effects of the step then [S''] « T. 

3. Since no announcements w.r.t. positive instantiated locks are reduced in [S] 1=^ T, no trans¬ 

lated barb are removed and no encoded source term continuation in the translation of external 
choice is unguarded. Since there is no step on a variant of m, no encoded source term con¬ 
tinuation in the translation of internal choice is unguarded. Since the simulation step reduces 
a variant of d, we have [S'] ^ T. Moreover, in this case, |DIV]] is unguarded in [S], because 
auxiliary steps cannot unguard encoded source term continuations. By Observation |7J then 
DIV is unguarded in S. Then S i— S' such that this step reduces DIV. With Lemma [20l 
and because the simulation step simulates all observable effects of the step then 

is'j « r. 

4. Since no announcements w.r.t. positive instantiated locks are reduced in [S] 1=^ T, no trans¬ 
lated barb are removed and no encoded source term continuation in the translation of external 
choice is unguarded. Since there is no step on a variant of m, no encoded source term con- 
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tinuation in the translation of internal choice is unguarded. Instead exactly one source term 
encoding—without loss of generality let us call this encoded source term |[P]|—due to the 
translation of recursion is unguarded. This is the only effect of the steps |S] 1=^ T that can 
be observed modulo fi. Therefore -P] is unguarded in [S'], because auxiliary steps can¬ 
not unguard encoded source term continuations. By Observation |7j then /iX P is unguarded 
in S. Then S i— >s S' such that this step unfolds recursion and unguards P. With Lemma [20l 
and because the simulation step simulates all observable effects of the step then 

iS'j « T. 

□ 

This direct correspondence between source term steps and the points of no return of their translation 
allows us to prove a variant of operational correspondence that is significantly stricter than the variant 
proposed in P6l. 

Definition 22 (Operational Correspondence). 

An encoding enc(') : is operationally corresponding w.r.t. C if it is: 

Complete: V5,5'. S^^S' implies 3T. |5]1 A {S'j « T 

Sound: VS, P. |Sl \=^rT implies 3S'. S\=^sS' A {S'j « T 

The ‘if’-part of Lemma [^implies operational completeness w.r.t. and the ‘only-if’-part contains the 
main argument for operational soundness w.r.t. Ri. Hence I ] is operational corresponding w.r.t. to 

Theorem 1. The encoding !•] is operational corresponding w.r.t. to ~. 

Proof. Completeness—VS,S'. Sl=^S‘^^ implies 3T. |S] I=^tP A |S'] T —follows from the ‘if’-part of 

LemmaEUand an induction on the number of steps in Sl=^S‘^^- 

Soundness—VS, T. |S] I=^tP implies 3S'. Sl=^S‘^^ A |S'] « T —follows from Lemma l20l the ‘only- 
if’-part of Lemma EH and an induction on the number of simulation steps in |S] I=^tP- D 

To obtain divergence reflection we show that there is no infinite sequence of only auxiliary steps. 
Lemma 23. The number of steps between two simulation steps is finite. 

Proof. Let T be such that 3S. |S] I=^tP- There are only finitely many unguarded translations of en¬ 
codings of source term operators in T. Let T' be the result of unguarding all translations of source term 
parts that can be unguarded using only auxiliary steps in P. By induction on the number of simula¬ 
tion steps in [S] I=^tP the number of such auxiliary steps is finite. Since we consider only sequences 
P T' 1=^ ... without simulation steps, no derivative of P' in this sequence can unguard additional 
translations of source term operators. The binary tree that results from the nesting of unguarded transla¬ 
tions of parallel operator encodings in P' and its derivatives is denoted as parallel tree in the following. 
Auxiliary steps are steps on the following kinds of channels: 

1. Since we consider only sequences P l=^ T' l=^ ... without simulation steps, there is at most one 
step on once in this sequence. 

2. Steps on variants of a,a' are used to propagate announcements through the parallel tree. Since 
this tree is finite and because the encoding introduces one announcement per action prefix, there 
are only finitely many announcements in the leafs of the parallel tree. Announcements are only 
propagated upwards to surrounding translations of concealment and parallel operators (of which 
there are only finitely many). Within the nodes of the parallel tree announcements from the left 
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and announcements from the right are combined using variants of {(p{c)) .2, {(p{c)) .3,s,s' and, to 
unguard inputs on such channels, steps on variants of n are used. By induction over the depth 
of the binary tree, we show that there are always only finitely many announcements from the left 
and finitely many announcements from the right and thus their combinations are performed by 
finitely many steps. Accordingly, T T' ... contains only finitely many steps on variants 
ofa,a',((p(c)).2,((p(c)).3,s,s',n. 

3. Steps on variants of r, tl, tr are used to trigger the computation of locks. Since we consider only 
sequences T l=^ T' ... without simulation steps, there is at most one request r proposed by 
the coordinator in this sequence. Additionally T and T' can already contain unguarded requests, 
but only finitely many. The request f from the top of the parallel tree is propagated downwards by 
pushing one or two more such requests (in some nodes) on variants of trjTr for each consumed 
request. Since the depth of the parallel tree is finite, T T' |=A 4 >... contains only finitely many 
steps on variants of r, tr, tr. 

4. Steps on variants of I, Ir, Ir, l^^,/ are used to implement and test Boolean valued locks. For each 
step on variants of r, tr, tr only a single instantiation of a lock can be consumed. By 3., there are 
only finitely many such steps. Additionally T and T' can already contain unguarded instantiations 
of locks and IF • THEN • ELSE --constructs, but only finitely many. Since each consumption of a 
single instantiation of a lock and its test in a IF • THEN • ELSE -construct requires only finitely 
many steps, T l=^ T' l=^ ... contains only finitely many steps on variants of I, Ir, Ir, IVj/- 

5. T and T' can only contain finitely many unguarded outputs on variants of r', r',, t'r, i'r. Additional 
outputs on variants of r', i'^Lj rV can only be unguarded by testing the value of a lock. By 4., 
there are only finitely many tests of locks in T T' l=^ .... Thus there are only finitely many 
steps on variants of r', r',-, i'r, Fr. 

Thus no sequence of auxiliary steps of T is infinite. □ 

Then divergence reflection follows from the combination of the above Lemma and Lemma [2T] 
Theorem 2. The encoding I-] reflects divergence. 

Proof. If |S]] is divergent then, by Lemma |23l |S] can perform an infinite sequence of steps containing 
infinitely many simulation steps. With Lemma|2ll then S is divergent. □ 

The encoding function ensures that pj has an unguarded occurrence of / iff 5 has such an un¬ 
guarded occurrence. Operational correspondence ensures that S and [S']] also answer the question for the 
reachability of / in the same way. 

Theorem 3. The encoding [[•] is success sensitive. 

Proof. From Observation |9] and Figure [H 5 4,/ iff [Sj |/. With Theorem [T] and because « respects /, 
then ^JJ-/iff □ 

In a similar way we can prove that a source term reaches a barb iff its translation reaches the respec¬ 
tive translated barb. 

Theorem 4. V5,c. S 41c iff M 41|[.j]c 

Proof. From Observation [8] and Figure [H S'lc iff M 'I'K Dc- With Lemma [2T] and because respects 
translated barbs, then S'fJ-c iff M -liK-Dc- D 
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dPD = (va)([[PjJ |*a(c,r,l,r').(r|l(Z7).lF^THENr'(T))) 

Figure 4: A de-centralised encoding from CSP into CCS with value passing. 


As proved in ifT^ . Theorem [TJ the fact that « is success sensitive and respects (translated) barbs, 
Theorem [3l and Theorem |4] imply that for all S it holds S and [S] are (success sensitive, (translated) barb 

respecting, weak, reduction) bisimilar, i.e., 5 [S]. Bisimilarity is a strong relation between source terms 

and their translation. On the other hand, because of efficiency, distributability preserving encodings are 
more interesting. Because of once the encoding [•]] obviously does not preserves distributability. As 
discussed in llT^ bisimulation often forbids for distributed encodings. Instead they propose coupled 
simulation as relation that still provides a strong connection between source terms and their translations 
but is more flexible. Following the approach in 1(1^ we consider a de-centralised coordinator next. 


5 The De-Centralised Encoding 

Figure |4] presents a de-centralised variant of the coordinator in Figure O The only difference between 
the centralised and the de-centralised version of the coordinator is that the latter can request to check 
different locks concurrently. Technically f-J and d-D differ only by the use of once. As a consequence 
the steps of different simulation attempts can overlap and even (pre-processing) steps of simulations 
of conflicting source term steps can interleave to a certain degree. Because of this effect, (j-D does not 
satisfy the version of operational correspondence used above for [•], but d'D satisfies weak operational 
correspondence that was proposed in |Q as part of a set of quality criteria. 

Similar to the central coordinator, the de-central coordinator respects the protocol on locks used to 
ensure that each announcement is only used once to simulate a source term step, i.e., it preserves the 
properties of locks formulated in Lemma [T3l 

Proposition 24. Let T E such that 35. fS]] Then for each variant I of the names I, II, Ir 

1. there is at most one positive instantiation of I in T, 

2. if there is a positive instantiation of Z in T then there is no other instantiation of I in T, and 

3. if there is a negative instantiation of Z in T then no derivative of T contains a positive instantiation 
of Z. 

Proof. The encoding in Figure |4] does not introduce new instantiations of Z. It does provide additional 
instantiations of r', but to unguard them a positive instantiation of the corresponding lock I has to be 
consumed. Thus d'D preserves the properties of locks formulated in Lemma [T^ □ 

Similarly LemmafTdlis preserved. 

Proposition 25. Let T E such that 3S. d^D 1=^x7"- Then for each variant r of the names r, tl, tr there 
is at most one (replicated) input on r in T. 


Proof. Follows from Lemma[T4]and Proposition l24l because the encoding in Figure |4]provides additional 
instantiations of r', but to unguard them a positive instantiation of the corresponding lock I has to be 
consumed. □ 
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The encoding in Figure |4]does not use variants of the names s,s', n, and («p(c)) .2. Because of that, 
Lemma [Tsl is preserved by d'l). 

Proposition 26. Let T,T' € such that 3S. (|5'Di=^t2’ '— T' and T \ — T' reduces an output on 
{(p{c)) .2. Moreover assume that for all steps T\ i— T[ on a variant of s,s',n with 3S'. (|5''[)|=^t2’i it 

holds Ti « r/. Then T ii T'. 

Proof. The encoding in Figure |4] does not use variants of the names s,s',n, and ((p(c)) .2. Thus this 
Proposition follows from Lemma[l5l □ 

Since several announcements can be processed concurrently by the de-central coordinator, here all 
consumptions of announcements are auxiliary steps. Instead the consumption of positive instantiations 
of locks can mark a point of no return. In contrast to !•]] not every point of no return in d'D unambiguously 
marks a simulation of a single source term step, because in contrast to !•] the encoding d'D introduces 
partial commitments 

Consider the example £ = (o ^ Pi □ p —)• P 2 ) ||{o,p} (o —)• Pa □ p —S' P 4 □ ^ P 5 ). 



In the example, two sides of a parallel operator have to synchronise on either action p, or action o, or 
action q happens without synchronisation. In the centralised encoding [P] the use of once ensures that 
different simulation attempts cannot overlap. Thus, only after finishing the simulation of a source term 
step, the simulation of another source term step can be invoked. As a consequence each state reachable 
from encoded source terms can unambiguously be mapped to a single state of the source term. This 
allows us to use a stronger version of operational correspondence and, thus, to prove that source terms 
and their translations are bisimilar. The corresponding 1-to-l correspondence between source terms and 
their translations is visualised by the first two graphs above, where T i |P]. 

The de-centralised encoding d^D introduces partial commitments. Assume the translation of a source 
term that offers several alternative ways to be reduced. Then some encodings—as our de-central one—do 
not always decide on which of the source term steps should be simulated next. More precisely a partial 
commitment refers to a state reachable from the translation of a source term in that already some possible 
simulations of source term steps are ruled out, but there is still more than a single possibility left. 

In the de-centralised encoding announcements can be processed concurrently and parts of different 
simulation attempts can interleave. The only blocking part of the decentralised encoding are conflicting 
attempts to consume the same positive instantiation of a lock. In the presented example above there are 
two locks; one for each side of the parallel operator. The simulations of the step on o and p need both of 
these locks, whereas to simulate the step on q only a positive instantiation of the right lock needs to be 
consumed. By consuming the positive instantiation of the left lock in an attempt to simulate the step on 
o, the simulation of the step on p is ruled out, but the simulation of the step on q is still possible. Since 
either the simulation of the step on o or the simulation of the step on q succeeds, the simulation of the 
step on p is not only blocked but ruled out. But the consumption of the instantiation of the left lock does 
not unambiguously decide between the remaining two simulations. The intermediate state that results 
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from consuming the instantiation of the left lock and represents a partial commitment is visualised in the 
right graph above by the state PCi. 

Partial commitments forbid a 1-to-l mapping between the states of a source term and its translations 
by a bisimulation. But, as shown in ifT^ . partial commitments do not forbid to relate source terms and 
their translations by coupled similarity. 

Whether the consumption of a positive instantiation of a lock is an auxiliary step—does not change 
the state of the term modulo —, is a partial commitment, or unambiguously marks a simulation of a 
single source term step depends on the surrounding term, i.e., cannot be determined without the context. 
For simplicity we consider all steps that reduce a positive instantiation of a lock as simulation steps. 
Also steps on variants of the channels m, d, and (p'{X) are simulation steps, because they unambiguously 
mark a simulation of a single source term step. All remaining steps of the de-centralised encoding are 
auxiliary. 

Definition 27 (Auxiliary and Simulation Steps). A step T \—)-t T' such that 3S € (|5'Di=^t7’ is 

called a simulation step, denoted by T T', if T i—)■ T' reduces a positive instantiation of a lock or is 
a step on a variant of m, d, or (p'{X). 

Else the step T i— T' is called an auxiliary step, denoted by T i— ^ T'. 

Again let l=^ denote the reflexive and transitive closure of i—^ and let 1=^ = l==4>i-^l==^. Since aux¬ 
iliary steps do not introduce partial commitments, they do not change the state modulo The proof of 
this lemma is very similar to the central case. 

Lemma 28. T i—^ T' implies T k, T' for all target terms T, T'. 

Proof. We distinguish the following cases w.r.t. the channel x that is reduced in the step T i—^ T'. 

1. bis a placeholder for t and /, but, in contrast to t and /, b itself is never used as a channel name. 
Also t,c,cl,cr,z, and (<p(c')) .1 for all source term names c' are never used as channels. 

2. All variants of one of the names a,a',l',r^''LTR)'^)S, and s' are used as simple forwarders. If 
we analyse the encoding functions in Figure [U and Figure ID we observe that they are always 
restricted and there is exactly one replicated input and no other input on the respective variant in 
their scope. Thus, for all target terms T such that 3S. [S']] 1=^ T, all steps on such channels satisfy 
the conditions specified by Proposition [TT] Hence T ss T'. 

3. The name ((p(c)) .3 is transmitted over n in Synch(-) as initial value of s. Thus, similarly to s 
because of Proposition fTTl T « T'. 

4. The case of x being a variant of r, tr, tr follows from Proposition IT2 \ and Proposition l25l 

5. The case of x being a variant of ((p(c)) .2 follows from 2. and Proposition l26l 

6. Variants of the names t,/ are used to implement Boolean valued locks and an IF • THEN • ELSE - 
construct testing such locks. By Proposition |24l there is at most one positive instantiation of each 
lock and by definition all negative instantiations of the same lock—and also positive ones—are 
structural congruent. Since each IF • THEN • ELSE --construct restricts its own variants of t and / 
and because there is never a positive and a negative instantiation of the same lock (Proposition l24l). 
all conflicts between two steps on variants of t and / result into structural congruent continuations 
and a step on variants of t and / cannot be in conflict with any other step on a different channel of 
T or its derivatives. Because = C « and by Femma[T0l then T k, T'. 

7. Variants of the names I, Ir, Ir refer to Boolean valued locks. Again all announcements are propa¬ 
gated upwards—and on their way upwards some of them are composed—until they reach the outer 
layer d-l). The de-central coordinator can process several announcements concurrently. Because of 
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that conflicts result from different attempts to consume the same positive instantiation of a lock. 
However auxiliary steps can only consume negative instantiations of locks. By definition, all neg¬ 
ative instantiations of the same lock are structural congruent. Moreover the encoding ensures that, 
as soon as the first negative instantiation of a lock is unguarded, as many negative instantiations of 
this lock are available as there are requests of it. The test of a negatively instantiated lock—that 
consumes an instantiation and reduces an IF • THEN • ELSE --construct—always reduces to the 
ELSE --case such that the inner part of a nested IF • THEN • ELSE --construct is not unguarded. 
Any unguarding of a IF - THEN - ELSE --construct also releases a request on the tested lock. Thus, 
if there are two negative instantiations for the same lock, it does not matter (modulo structural 
congruence) which one is reduced by a IF - THEN - ELSE -construct. Similarly, if there are two 
IF - THEN - ELSE -construct testing the same lock, both can be processed concurrently and it does 
not matter (modulo structural congruence) which consumes which instantiation. All steps on other 
channels cannot be in conflict with a step reducing a negative instantiation of the respective lock. 
Because = C rs and by Lemma [TOl then T « T'. 

□ 

In contrast to the centralised encoding, the simulation of a source term step in the de-centralised 
encoding can require more than a single simulation step and a single simulation step not unambiguously 
refers to the simulation of a particular source term step. The partial commitments described above forbid 
for operational correspondence, but the weaker variant proposed in Q is satisfied. We call this variant 
weak operational correspondence. 

Definition 29 (Weak Operational Correspondence). 

An encoding enc(-) : is weakly operationally corresponding w.r.t. f«cs C if it is: 

Complete: VS,5'. S\=^sS' implies 3T. (lS[)l=^Tr A ^S'D «cs T 
Weakly Sound: VS, T. ^SD^t^ implies 3S', T'. S\=^sS' A T\=^jr A ^S'D «cs T' 

The only difference to operational correspondence is the weaker variant of soundness that allows for 
T to be an intermediate state that does not need to be related to a source term directly. Instead there has 
to be a way from T to some T' such that T' is related to a source term. 

Theorem 5. The encoding (|-|) is weakly operational corresponding w.r.t. to ~. 

Proof. Completeness: VS,S'. Sl=^S‘^^ implies 3T. (|S[)|=^tT A (|S'D T. 

We consider a single step Sl=^S‘^^- Completeness then follows by induction on the number of 
steps in S\=^sS'. 

Assume S i—)-s S'. Since |-] and (|-|) differ only by the use of once, the simulation of source 
term steps is similar except for the one step on channel once. Hence the existence of T such that 

(|5'Di=^tT and (|S'D ss T can be proved by adapting the ‘if’-part of Lemma [2T] w.r.t. the step on 
once. 

Weak Soundness: VS, T. implies 3S', T'. S^^S' A T^^T' A ^S'D i T'. 

By Lemma |28l it suffices to concentrate on the simulation steps in the sequence (|SDi=^tT. The 
proof is by induction on the number of simulation steps in the sequence (|SDi=^tT. 

In the base case —without any simulation steps in (1 S[)|=^tT— choose S' = S and T' = T then 

S^sS', and, by Lemma|28l ^S]) = (jS'D kT' = T. 

Assume that there are Sh,Th such that S\=^sSh, T\=^'yTh, (1S//D Th, and T\=^jTh contains 
only simulation steps necessary to resolve partial commitments {induction hypothesis). 


M. Hatzel, C. Wagner, K. Peters, U. Nestmann 


25 


Consider (|SDi=^t2’ T” . 

1. A simulation step T T" that consumes a positive lock can result in partial commitment, 
but only in the case the respective reduced IF • THEN • ELSE --construct was the first part of 
a nested IF • THEN • ELSE -construct and the second part tests a lock I2 of that a positive 
instantiation is (modulo auxiliary steps) still available. Switching the positive instantiation 
of I2 into a negative instantiation—regardless of which IF • THEN • ELSE -construct is used 
to do so—^resolves the partial commitment. The sequence (|5 '|)|=^tT might already introduce 
several more of such partial commitments. Proposition |24]ensures some important properties 
over the instantiation of locks but it does not ensure, that for all locks there will eventually 
be an instantiation available. Only IF ■ THEN • ELSE -construct consume instantiations 
of locks. After being reduced, they restore all positive instantiation they consumed or turn 
them into negative instantiations. Negative instantiations remain available. Thus, to ensure 
that there are no deadlocks and all partial commitments can be resolved, we have to show 
that IF • THEN • ELSE -constructs cannot completely block each other. In the case of the 
centralised encoding this follows from the use of once. In the de-central encoding we make 
use of the same technique already used in |[T7ll20l to avoid this problem. As proved in 
uni, because we always consume first the instantiation of the lock from the left the nested 
IF • THEN • ELSE -constructs cannot all be blocked and we can resolve them step by step. 
In the present case the step T 1 -^ T" might consume an instantiation of a lock that was 
necessary for the sequence T\=^'yTe- If that is not the case, no step of T\=^'iTu is in conflict 
with T 1 -^ T”. Because of (j^'D Th, Th does not contain unresolved partial commitments. 
Hence we can choose T' as the result of performing all steps of T\=^t:Te in T" followed, if 
necessary, by a sequence with a single simulation step l=^ to resolve the partial commitment 
that may result from T 1 -^ T" such that T 1 -^ r"l=^TT'. Then choose S' = Sr, if no 
additional step was necessary to obtain T', else T 1 -^ T" and the additional simulation step 
are all simulation steps of the simulation of a source term step reducing action-prefixes and 
we choose S' as the result of performing the respective source term step in Sr- Thus 51=^8*^^- 

Because of IISr\) ^ Tr and the construction of S' and T', we have (|S'D « T'. 

Else, if there is a conflict between T 1 -^ T" and a step of T^^jTr, choose T' as the re¬ 
sult of applying all but the conflicting step (and all auxiliary steps that depend on this step) 
of T^^jTr in T" followed, if necessary, by a sequence with a single simulation step l=^ 
to resolve the partial commitment that may result from T 1 -^ T". Because the induction 
hypotheses ensures that T\=^'iTr contains only simulation steps necessary to resolve par¬ 
tial commitments, there are no simulation steps that depend on the conflicting step and all 
other simulation steps of T'f^'iTr can be transferred to T". Thus T 1 -^ T"'f^jT'. As 
a consequence of this replacement the simulation of a single source term step is replaced 
by the simulation of another single source term step. Choose S' as the result of replacing 
in S\=^^Sr the respective source term step such that S \=^ S'. Because of (|S//D Tr, the 

construction of S' and T', and Observation |7j we have d^'l) T'. 

2. A simulation step T 1 -^ T" on a variant of m unguards exactly one source term encoding— 
let us call it [[EJJ—due to the translation of internal choice. This step ensures that the re¬ 
spective other encoded source term alternative—let us call it [[2JJ—of the internal choice 

can never be unguarded, i.e., is modulo ss similar to 0. This is the only effect of the steps 
T 1 -^ T" that can be observed modulo «. Since the encoding restricts each variant of m, the 
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only step that can be in conflict with this step is the step unguarding [[2JJ. Because steps on 
a variant of m do not resolve partial commitments, T\=^jTh does not contain such a step. 
Then, because T can perform the step, also Th contains (modulo structural congruence) the 
unguarded subterm (vm)(ni.[[PjJ | j]l.[[2j] | rh). By Observation |7] and because p/zD Th, 
then P n 2 is unguarded in Sh- Hence we can choose S' by replacing P □ 2 in 5// by P such 
that S\=^sSh '—>s S' and we can choose T' by replacing (vm)(rn.[LPjJ | rn.[[2j] | m) in Th 

by [[Pj] such that T r"l=^TP^ By Observation |7j because of (|SzzD Th, and by the 
construction of S' and T', then d^'D T'. 

3. A simulation step T T" on a variant of d is due to the translation of DIV. In this case 
T « T". Then, because of T'^^'^Th, there exists T' such that T"'f^'iT' , T"\=^'yT' has the 
same simulation steps then T\=^t^Th, and Th ~ T'. Thus we can choose S' = Sh- 

4. A simulation step T T" on a variant of (p'{X) is due to the translation of recursion. In 
this case T T" unguards exactly one source term encoding—let us call it [[PJJ. This is 

the only effect of the steps T T" that can be observed modulo «. Since the encoding 
restricts each variant of (p'{X) and the only input on this channel is replicated, this step is not 
in conflict with any other step of T or its derivatives. Because steps on a variant of (p'{X) do 
not resolve partial commitments, ri=^x2// does not contain such a step. Then, because T 
can perform the step, also Th contains (modulo structural congruence) the unguarded subterm 
(v(p'(X))^(p'(X) I *(p'(X).[LPj]y By Observation |7] and because (|5'z/[) Th, then jxX P 
is unguarded in Sh- Hence we can choose S' as the result of replacing jxX ■ P in Sh by 
P[(/rX -P) /X] such that S\=^sSh ' — S' and we can choose T' as the result of replacing 
{v(p'{X))(y(X) I *(p^(X).^Pjj) in Th by {v(p'{X))(y(X) \ *(p'{X).lP]\ \ ^Pjj), where all 
occurrences ofX in P are translated to (p'iX), such that T T"\=^tT'. By Observation |7J 
because of dS'//) Th, and by the construction of S' and T', then d^'D T'. 

□ 


As in the encoding [•]], there is no infinite sequence of only auxiliary steps in d^). 

Lemma 30. The number of steps between two simulation steps is finite- 

Proof In contrast to I-]], also the consumption of announcements by the coordinator is a simulation step 
for d'l). Since there are only finitely many announcements, consuming them does not lead to divergence. 
Because of the consumption of announcements, the coordinator can release several requests r, but again 
only finitely many. Accordingly, the sequences of auxiliary steps can be longer in d'l), but all such 
sequences result from interleaving finitely many sequences of auxiliary steps of I-]]. Apart from these 
observations the proof is similar to the proof of Lemm£^3] □ 

Moreover each simulation of a source term requires only finitely many simulation steps (to consume 
the respective positive instantiations of locks). Thus d'D reflects divergence. 

Theorem 6. The encoding d'D reflects divergence- 

Proof If d^D is divergent then, by Lemma [30l d^'D can perform an infinite sequence of steps containing 
infinitely many simulation steps. Simulation steps either directly represent the simulation of a source 
term step—as in the case of recursion, divergence, and internal choice—or reduce a positive instantiation 
of a lock. Instantiations of locks are consumed by IF • THEN • ELSE -constructs. These constructs are 
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guarded by requests r. By Lemma [30l without simulation steps only finitely many requests and thus 
instantiations of locks can be consumed. Simulation steps can only lead to new requests if they unguard 
the translation of a source term continuation, but then the simulation of a source term step was completed. 
Hence, if l\S\j is divergent, then S is divergent. □ 

The encoding function ensures that dSO has an unguarded occurrence of / iff S has such an unguarded 
occurrence. Operational correspondence again ensures that S and (|SD also answer the question for the 
reachability of / in the same way. 

Theorem 7. The encoding d'D is success sensitive. 


Proof. From Observation |9] and Figure 01 Si/ iff d^'Di/. With Theorem [5] and because ii respects /, 
then SJj./iff d^Di/. □ 

Similarly, a source term reaches a barb iff its translation reaches the respective translated barb. 
Theorem 8. VS,c. S JJ-c iff d^D 


Proof. From Observation [8] and Figure 01 Sic- iff dSDi|[.j]c. With Theorem |5] and because « respects 
translated barbs, then S IJ-c iff d*^!) JJ-lf-Jlc- D 

Weak operational correspondence does not suffice to establish a bisimulation between source terms 
and their translations. But, as proved in IfTSl . Theorem[5l the fact that is success sensitive and respects 
(translated) observables. Theorem |71 and Theorem [H imply that VS. S and [S]] are (success sensitive, 

(translated) barbs respecting, weak, reduction) coupled similar, i.e., S f«cs d*^!)- 

It remains to show, that d'D indeed preserves distributability. Therefore we prove that all blocking 
parts of the encoding d'D refer to simulations of conflicting source term steps. 

Theorem 9. The encoding d'D preserves distributability. 

Proof. The de-central coordinator in Figure 01 computes announcements concurrently. The test of locks 
is technically an output and steps on t and / are restricted such that these steps are never in conflict to any 
other step. Thus the de-central coordinator itself does not block the concurrent simulation of distributable 
steps. 

In [[-JJ all blocking, i.e., all not-replicated inputs, are on variants of (<p(c)) .2, r, I, II, Ir, m. Two steps 
on the same variant of ((p(c)) .2 belong to two simulation attempts of source term steps on the same 
action that needs to be synchronised by a parallel operator. Since such steps are also not distributable in 
the source, their simulations do not have to be distributable. 

Two steps on the same variant of one of the names r, I, Ir, Ir belong to simulation attempts that need 
to consume the same positive instantiation of a lock. Thus these two attempts clearly try to simulate 
conflicting source term steps. Hence again the two simulation attempts do not have to be distributable. 

Similarly two steps on the same variant of m clearly belong to two simulation attempts of conflicting 
source term steps. Thus again they do not have to be distributable. 

We conclude that the simulations of distributable source terms are distributable, i.e., d'D preserves 
distributability. □ 
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6 Conclusions 

We introduced two encodings from CSP into asynchronous CCS with name passing and matching. As 
in ifT^ we had to encode the multiway synchronisation mechanism of CSP into binary communications 
and, similarly to lIT^ . we did so first using a central controller that was then modified info a de-cenfral 
confroller. By doing so we were able fo Iransfer fhe observations of ifT^ fo fhe presenf case: 

1. The cenfral solution allows fo prove a sfronger connection befween source terms and fheir frans- 
lafions, namely by bisimilarify. Our de-cenfral solufion does nol relafe source terms and their 
translations that strongly and we doubt that any de-central solution can do so. 

2. Nonetheless, de-central solutions are possible as presented by the second encoding and they still 
relate source terms and their translations in an interesting way, namely by coupled similarity. 

Thus as in ifT^ we observed a trade-off between central but bisimilar solutions on the one-hand side and 
coupled similar but de-central solutions on the other side. 

More technically we showed here instead a trade-off between central but operational correspond¬ 
ing solutions on the one-hand side and weakly operational corresponding but de-central solutions on 
the other side. The mutual connection between operational correspondence and bisimilarity as well as 
between weak operational correspondence and coupled similarity is proved in ifTSl . 

Both encodings make strict use of the renaming policy and translate into closed terms. Hence the 
criterion name invariance is trivially satisfied in bofh cases. Moreover we showed fhaf bofh encodings 
are success sensitive, reflect divergence, and even respect barbs w.r.f. fo fhe sfandard source term (CSP) 
barbs and a notion of franslafed barbs on fhe fargef. The cenfralised encoding !•]] addifionally safisfies a 
varianf of operational correspondence fhaf is sfricfer fhan fhe varianf proposed in [6|. The de-cenfralised 
encoding (-I) safisfies weak operational correspondence as proposed in ||6l and distributability preser¬ 
vation as proposed in ll2T1l . Thus bofh encodings satisfy all of fhe criferia proposed in [til excepf for 
composifionalify. However in bofh cases fhe inner parf is obviously composifional and fhe outer par! 
adds only a fixed confexf. 
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